i'll try my best to describe the problem. so my .htaccess file is somehow being overwritten with malicious code that redirects to a russian url. even if i delete the .htaccess file it reappears within 10 minutes with the same code. i deleted all my databases and removed directories that i rarely accessed. the .htaccess file has always been set to 444. i'm pulling my hair out because i don't understand how this continues to happen. just before making this thread i deleted the .htaccess file so i don't have the code to share. when it comes back i'll post the code so you'll have a better understanding.

Yeah mate, I had the same issue on a whole lot of my domains a while back.

I'd put in a support request and ask if they can clear out the malicious .php files that will be causing this. These files are often named things like mybest_friend.php and located in a labyrinth of sub folders.

Apparently they get in through exploits in wordpress, joomla, wiki etc. Update them all & it probably wouldn't hurt to change your ftp passwords while you're at it.

You can check the logs to see if your password has been compromised. I doubt it has in this situation, so changing passwords would have absolutely no effect.

What you do want to do is grep all of your php files for something like eval() or base64_decode() etc. The source of your problem is likely found there. There are many tips on how to do it in these forums as well as the wiki. You can get an idea of how these sorts of hacks work by reading this: http://markmaunder.com/2011/08/01/zero-d...ss-themes/
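The grep suggested above, written out as an added example (not code from any poster in this thread): a POSIX shell script that ranks PHP files by lines calling eval() or base64_decode() and lists every .htaccess directive pointing at an absolute URL. The function names, the extra gzinflate/str_rot13 patterns, the .phtml/.inc extensions and the redirect.example host are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage a web root for the PHP constructs named in the thread.
# gzinflate/str_rot13 and the .phtml/.inc extensions are assumptions added here.
SUSPECT_RE='(eval|base64_decode|gzinflate|str_rot13)[[:space:]]*\('

# Print "matching-lines<TAB>path" for each PHP file with a hit, most hits first.
# Hits are leads to review by hand: legitimate code uses these calls too.
scan_php() {
    find "${1:-.}" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -exec grep -Eic "$SUSPECT_RE" /dev/null {} + 2>/dev/null |
    awk -F: '$NF > 0 { n = $NF; sub(/:[0-9]+$/, ""); print n "\t" $0 }' |
    sort -rn
}

# Print "path:line:text" for every .htaccess directive that points at an
# absolute URL, so rewritten copies in sub-folders are found in one pass.
scan_htaccess() {
    find "${1:-.}" -type f -name '.htaccess' -exec grep -Ein \
        '^[[:space:]]*(RewriteRule|Redirect(Match)?|ErrorDocument)[[:space:]].*https?://' \
        /dev/null {} + 2>/dev/null | sort
}

# Constructed sample tree (not real malware): the eval payload decodes to "echo 1;".
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/blog/uploads/a/b"
    printf '%s\n' '<?php echo "hello"; ?>' > "$d/blog/index.php"
    printf '%s\n' '<?php eval(base64_decode("ZWNobyAxOw==")); ?>' \
        > "$d/blog/uploads/a/b/mybest_friend.php"
    printf '%s\n' 'RewriteEngine On' \
        'RewriteRule ^(.*)$ http://redirect.example/ [R=301,L]' > "$d/.htaccess"
    printf '%s\n' "$d"
}

# Usage: sh scan.sh /path/to/webroot
if [ "$#" -ge 1 ] && [ -d "$1" ]; then
    scan_php "$1"
    scan_htaccess "$1"
fi
```

The count is of matching lines, so a heavily obfuscated file that packs everything onto one line still shows up with a count of 1.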

(02-13-2012 08:17 PM)xievon Wrote: Yeah mate, I had the same issue on a whole lot of my domains a while back.

I'd put in a support request and ask if they can clear out the malicious .php files that will be causing this. These files are often named things like mybest_friend.php and located in a labyrinth of sub folders.

Apparently they get in through exploits in wordpress, joomla, wiki etc. Update them all & it probably wouldn't hurt to change your ftp passwords while you're at it.

Good luck.

i figured that's probably what would have to happen. i went ahead and deleted even more files and sub-directories. everything that i've read online about this seems to suggest the last resort is to delete everything to be absolutely sure you've removed any exploits. just gonna start from scratch :/ at least i didn't have much worth backing up.

Hello... I'm having the very same problem. I'm deleting everything I can and scanning all my sites for base64, but it's to the point of flinging myself and my computer across the room-- I've got a lot of files and several sites to babysit. Is there anything specific I should be looking for? It's rewriting my htaccess files everywhere before I even delete the old ones.

remote shells, timthumb and other unsecure plugins to start.. there is much info there, but understanding is the key.

You might also try asking support for help, by opening a ticket via the panel... recent posts suggest it appears they may have developed some tools to help, but help seems to be delayed/slow due to the amount of work. the underlying fact remains you installed it and you need to understand what you installed.

Thanks for this-- it's overwhelming, but I'll find it. I try and minimise plugins, and avoid timthumb and other known scripts. The cleaner script that someone uploaded is proving helpful. My concern is that this is the future of shared servers. I can lock down tighter than... well, than a metaphor I won't indulge. But I'm not a network admin, so I don't know if my efforts are for naught when others on the server could have backdoors with big neon signs on them.
FYI in my case, at least, it seems the culprit was to be found in an old install of ZenCart, which I'd recently dropped onto a subdomain to test some changes for a client. The version (1.38) has known security flaws, and one of my tasks was to try and upgrade the thing. I never found the malicious source file, but deleting the entire test site stopped the reappearing .htaccess problem. I think I'll upgrade it locally...

Good luck to others in the same boat-- check your ZenCart/OSCommerce files...